Logs & Monitor
This chapter shows you how to configure rules to create logs for specified conditions. You can use the powerful Logs & Monitor features in SmartConsole to see logs and to monitor the effectiveness of QoS Policies.
Overview of Logging
These events are logged. The table below describes features unique to event logs.
Non-Accounting Log Events
| Log Event | Data Returned | Presentation | Policy Mode |
|---|---|---|---|
| Connection Reject | | | |
| QoS rejects a connection when the number of guaranteed connections is exceeded and/or when you have configured the system not to accept additional connections. | The name of the matching rule on account of which the connection was rejected. | Generated as a reject log. Unified with the initial connection log. | Recommended policy only. |
| Running Out of Packet Buffers | | | |
| One of the interface-direction's packet buffers is exhausted. A report is generated a maximum of once per 12 hours. | A string explaining the nature of the problem and the size of the relevant pool. | New log record created each time a global problem is reported. | Recommended policy only. |
| When a packet is dropped from an LLQ connection. A report is generated a maximum of once per 5 minutes. | Logged data: | Unified with the initial connection log. | Recommended policy only. |
The next table describes the features unique to accounting logs.
Explaining the Accounting Log
| Logged | Data Returned | Policy Mode |
|---|---|---|
| General Statistics | | |
| The total bytes transmitted through QoS for each relevant interface and direction. | Inbound and outbound bytes transmitted by QoS. | Recommended and Express policies. |
| Drop Policy Statistics | | |
| | | Recommended policy mode only. |
| LLQ Statistics | | |
| Statistics about the LLQ connection. | Logged data: | Recommended policy mode only. |
These conditions must be met for a connection to be logged:
- The QoS logging checkbox must be selected in the Gateway Properties - Additional Logging Configuration window. (By default this is automatically selected.)
- The connection's matching rule must be marked with either Log or Account in the Track field of the rule. See Confirming a Rule is logged and To Modify Tracking for a Rule.
Examples of Log Events
This section describes the log events.
Connection Reject Log
The connection is rejected because the rule exceeds the number of guaranteed connections, where Accept additional non-guaranteed connections is unchecked in the QoS Action Properties window (see QoS Action Properties). The log will include the name as well as the class of the rule in the following format: rule_name: <class> <name>.
In the following example, the rule belongs to the class Best_Effort. The name of the rule (rule_name) is udp2.
Connection Reject Log - Example
| Time | Product | Interface | Type | Action | Information |
|---|---|---|---|---|---|
| 15:17:09 | QoS | daemon | log | reject | rule_name:Best_Effort->udp2 |
LLQ Drop Log
When a packet from the LLQ connection is dropped, LLQ information is computed and logged from the last time a log was generated. This information includes significant data logged from the relevant interface-direction. In the following example, the information logged includes:
- s_in_llq_drops: The number of bytes dropped from the connection on the Server-In interface direction.
- s_in_llq_avg_xmit_delay: The average delay computed for all the connection's packets that were not dropped on the Server-In interface direction.
- s_in_llq_max_delay: The maximum delay of a connection packet that was not dropped on the Server-In interface direction.
- s_in_llq_xmit_jitter: The maximum delay difference between two consecutive successfully transmitted packets of the connection on the Server-In interface direction. Any packets which are dropped in between the two successfully transmitted packets are ignored.
- s_in_llq_recommended_delay: The default delay that can be entered into the Add Low Latency QoS Class Properties window in order to achieve a minimal number of dropped bytes.
LLQ Drop Log - Example
| Product | Type | Information |
|---|---|---|
| QoS | log | s_in_llq_drops:3000 s_in_llq_avg_xmit_delay: 900 s_in_llq_max_delay: 1351 s_in_llq_xmit_jitter: 1351 s_in_llq_recommended_delay:2000 |
In the above example, relevant data was observed only on the Server-In interface direction, so only Server-In counters are available.
Note - There are several reasons why logging might not occur on a specified interface direction:
Pool Exceeded Log
This log is generated when the designated size of the ifdir pool is exceeded. In this example, the log shows:
- An interface direction (ifdir) has a pool size of 8 fragments.
- The interface name is E100B1, and the direction is outbound (outbound shown by the cube with an outward pointing arrow).
Pool Exceeded Log - Example
| Product | Interface | Type | Information |
|---|---|---|---|
| QoS | E100B1 | control | info:Ifdir Memory Pool Exceeded Pool_size:8 |
Examples of Account Statistics Logs
Logs always include the segment_time information (the time from which the information about the log was gathered) in the Information column.
The Mandatory Fields in Account Logs
| Product | Type | Information |
|---|---|---|
| QoS | Account | segment_time 8May2002 12:24:57 |

Account Logs may include any or all of the above information.
Note - Only significant data is logged and presented in the same log record.
General Statistics Data
These statistics include the number of bytes transmitted through QoS in any relevant interface direction. In the following example:
- s_in_bytes: 5768 bytes were transmitted through QoS on the Server-In interface direction.
- s_out_bytes: 154294 bytes were transmitted through QoS on the Server-Out interface direction.
General Statistics Data - Example
| ... | Information | ... |
|---|---|---|
| | s_in_bytes:5768 s_out_bytes: 154294 | |
Drop Policy Statistics Data
The number of bytes dropped from the connection in any relevant interface direction as a result of drop policy is logged. The drop policy is aimed at managing QoS packet buffers; see WFRED (Weighted Flow Random Early Drop). This includes the total number of bytes dropped from the connection since it exceeded its allocation. In the following example:
- s_out_total_drops: 3914274 bytes were dropped from the connection as a result of drop policy, on the Server-Out interface direction.
- s_out_exceed_drops: Out of the total number of drops (s_out_total_drops), 3914274 bytes were dropped from the connection because it exceeded its allowed number of fragments, on the Server-Out interface direction.
Drop Policy Statistics Data - Example
| ... | Information | ... |
|---|---|---|
| | s_out_total_drops:3914274 s_out_exceed_drops: 3914274 | |
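
The Information strings in the examples above mix key:value pairs with inconsistent spacing, a multi-word info value, and a segment_time stamp that has no colon after its key. The parser below is an added example, not Check Point code; the names parse_information and triage and the wording of the findings are assumptions, and it handles only the s_in and s_out prefixes shown on this page.

```python
import re
from datetime import datetime
KEY = re.compile(r"\b([A-Za-z_]\w*):")  # keys start with a letter, so 12:24:57 is not split
SEGMENT = re.compile(r"segment_time\s+(\d{1,2}[A-Za-z]{3}\d{4})\s+(\d{2}:\d{2}:\d{2})")
# Information strings copied from the examples on this page.
SAMPLES = [
    "rule_name:Best_Effort->udp2",
    "s_in_llq_drops:3000 s_in_llq_avg_xmit_delay: 900 s_in_llq_max_delay: 1351 "
    "s_in_llq_xmit_jitter: 1351 s_in_llq_recommended_delay:2000",
    "info:Ifdir Memory Pool Exceeded Pool_size:8",
    "segment_time 8May2002 12:24:57",
    "s_out_total_drops:3914274 s_out_exceed_drops: 3914274",
]

def parse_information(text):
    """Turn one Information string into a dict; a value runs up to the next key."""
    fields = {}
    seg = SEGMENT.search(text)
    if seg:
        fields["segment_time"] = datetime.strptime(" ".join(seg.groups()), "%d%b%Y %H:%M:%S")
    keys = list(KEY.finditer(text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        value = text[m.end():end].strip()
        fields[m.group(1)] = int(value) if value.isdigit() else value
    if "->" in str(fields.get("rule_name", "")):
        fields["rule_class"], _, fields["rule"] = fields["rule_name"].partition("->")
    return fields

def triage(fields):
    """Summarise what a parsed record means for an operator (wording is illustrative)."""
    out = []
    if "rule_class" in fields:
        out.append(f"reject: rule {fields['rule']} in class {fields['rule_class']}")
    if "Pool_size" in fields:
        out.append(f"buffers: {fields.get('info', '')}, pool size {fields['Pool_size']}")
    for d in ("s_in", "s_out"):  # only the direction prefixes shown on this page
        if fields.get(f"{d}_llq_drops"):
            delay = fields.get(f"{d}_llq_recommended_delay")
            out.append(f"llq: {fields[d + '_llq_drops']} bytes dropped on {d}, recommended delay {delay}")
        total = fields.get(f"{d}_total_drops")
        if total:
            share = fields.get(f"{d}_exceed_drops", 0) / total
            out.append(f"drop policy: {total} bytes dropped on {d}, {share:.0%} over allocation")
    return out

for line in SAMPLES:
    print(triage(parse_information(line)) or parse_information(line))
```
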